SCADA Security: The Five Stages of Cyber Grief

Learn the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems.


  • 1. SCADA Security: The Five Stages of Cyber Grief. Tom Cross, Director of Security Research
  • 2. Vulnerabilities I'm credited on:
    • MFSA2008-37 Mozilla Stack Buffer Overflow
    • cisco-sa-20070808-IOS-IPv6-leak Information Leakage Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR
    • MS07-033 Internet Explorer COM object instantiation
    • CVE-2007-2388 Apple QuickTime for Java remote code execution
    • MS06-036 Windows SMB Denial of Service
    • X-Force Alert 228 Asterisk PBX Denial of Service
    • X-Force Alert 229 Asterisk PBX Traffic Amplification
  • 3. The 5 Stages of Cyber Grief
  • 4. Stage 1: Denial. "It's not connected to the Internet."
  • 5. "In our experience in hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks." Source: Sean McGurk, Verizon; The Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing. It's connected to the Internet.
  • 6. SHODAN. Project STRIDE: "To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses."
  • 7. ICS-CERT: In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems. In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials. In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN.
  • 8. Stage 2: Anger
  • 9. Stage 3: Bargaining
  • 10. Stage 3: Bargaining.
    • Stuxnet: first widely reported use of malware to destroy a physical plant; extremely sophisticated; jumped the air-gap via USB keys; widespread infections throughout the Internet.
    • Shamoon: targeted the energy sector; destructive; overwrites files; destroys the Master Boot Record.
    • (Chart: Stuxnet infections, source Symantec.)
  • 11. ICS Honeypot Results. Kyle Wilhoit, Trend Micro Threat Research Team
  • 12. DDoS Attacks: More Automated & Powerful (Prolexic, Q2 2012 to Q2 2013)
    • 33% increase in attacks
    • 925% increase in bandwidth (4.47 Gbps to 49.24 Gbps)
    • 1655% increase in packets per second (2.7 Mpps to 47.4 Mpps)
  • 13. Stage 4: Depression
  • 14. Stage 4: Depression. The Patching Treadmill
    • Control systems are not designed to be shut down regularly
    • Entire systems may need to be shut down for a single patch install
    • Patching may mean upgrading; upgrades can cascade through a system
    • Even assessments may require downtime!
    • Patching leads to interconnectivity; interconnectivity leads to compromise
    • Solutions? Third-party run-time in-memory patching? Intrusion Prevention Systems?
  • 15. Stage 5: Acceptance. What would acceptance mean?
    • Getting serious about interconnectivity: we need to find new ways to work; we need to accept some inconvenience
    • Designing systems for patchability: systems that can be patched without being restarted; hot standby failover; patches that do not require upgrades; security patches that can be accepted without performance concerns; built-in IDS capability?
    • Designing systems for failure
  • 16. Lancope does NetFlow
  • 17. Network Visibility through NetFlow. (Diagram: DMZ, VPN, Internal Network, Internet and 3G Internet links, each exporting NetFlow to a NetFlow Collector.) NetFlow packets carry: src and dst IP; src and dst port; start time; end time; MAC address; byte count; and more.
  • 18. Intrusion Audit Trails
    • 1:06:15 PM: Internal host visits malicious web site
    • 1:06:30 PM: Malware infection complete, accesses Internet command and control
    • 1:06:35 PM: Malware begins scanning internal network
    • 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
    • 1:13:59 PM: Multiple internal infected hosts
    • 1:14:00 PM: Administrators manually disconnect the initial infected host
    • Do you know what went on while you were mitigating?
  • 19. Behavioral Anomaly Detection
  • 20. Thank you! Tom Cross Director of Security Research
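The NetFlow visibility, intrusion audit trail and behavioral anomaly detection slides (17 to 19) describe how flow records reconstruct an incident. The following is an added example, not code from the deck or from Lancope: it parses constructed flow records carrying the fields the slide lists (src/dst IP, ports, start/end time, byte count), applies one indicator rule (an internal host contacting a blocklisted address) and one behavioral rule (an internal host fanning out to many internal destinations within a sliding window, as a scanning worm does), and emits a chronological audit trail. The internal range 10.0.0.0/8, the blocklist address 203.0.113.10, the thresholds and all timestamps are assumptions made for the example.

```python
"""NetFlow-style audit trail: blocklist contact and fan-out scan detection.

Added example, not from the original deck or from Lancope. The flow
records, internal address range, blocklist and thresholds are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
BLOCKLIST = {"203.0.113.10"}           # constructed address of the "malicious web site"
SCAN_FANOUT = 20                       # distinct internal destinations that count as a scan
SCAN_WINDOW = timedelta(minutes=5)     # ...when touched within this window


@dataclass(frozen=True)
class Flow:
    """The NetFlow fields the slide lists (MAC address omitted for brevity)."""
    src: str
    dst: str
    sport: int
    dport: int
    start: datetime
    end: datetime
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed CSV record: src,dst,sport,dport,start,end,bytes (HH:MM:SS)."""
    src, dst, sport, dport, start, end, nbytes = line.strip().split(",")
    day = datetime(2013, 1, 1)  # constructed date; only the time of day matters here

    def at(t: str) -> datetime:
        return datetime.combine(day, datetime.strptime(t, "%H:%M:%S").time())

    return Flow(src, dst, int(sport), int(dport), at(start), at(end), int(nbytes))


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect(flows):
    """Return a chronological audit trail of (timestamp, host, description) tuples."""
    events = []

    # Rule 1 (indicator match): an internal host talks to a blocklisted address.
    for f in flows:
        if is_internal(f.src) and f.dst in BLOCKLIST:
            events.append((f.start, f.src, f"contacted blocklisted address {f.dst}:{f.dport}"))

    # Rule 2 (behavioral): an internal host fans out to many distinct internal
    # destinations inside a sliding time window, as malware scanning the LAN does.
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.start)
        seen = Counter()   # distinct destinations currently inside the window
        left = 0
        for f in fl:
            seen[f.dst] += 1
            while f.start - fl[left].start > SCAN_WINDOW:   # expire flows older than the window
                seen[fl[left].dst] -= 1
                if seen[fl[left].dst] == 0:
                    del seen[fl[left].dst]
                left += 1
            if len(seen) >= SCAN_FANOUT:
                events.append((f.start, src,
                               f"scanned {len(seen)} internal hosts within {SCAN_WINDOW}"))
                break   # one alert per source is enough for the trail

    events.sort(key=lambda e: e[0])
    return events


def sample_flows():
    """Constructed records that replay the slide's incident with made-up addresses."""
    lines = [
        "10.0.0.5,203.0.113.10,51000,80,13:06:15,13:06:16,2048",    # visits the malicious site
        "10.0.0.5,203.0.113.10,51001,443,13:06:30,13:06:31,900",    # command-and-control check-in
        "10.0.0.9,10.0.0.200,40000,80,13:10:00,13:10:02,5000",      # unrelated benign traffic
        "10.0.0.117,203.0.113.10,49152,443,13:13:59,13:14:00,700",  # a second host checks in
    ]
    base = datetime(2013, 1, 1, 13, 6, 35)   # scanning starts here, one probe per second
    for i in range(1, 31):
        t = (base + timedelta(seconds=i)).strftime("%H:%M:%S")
        lines.append(f"10.0.0.5,10.0.0.{100 + i},52000,445,{t},{t},120")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for ts, host, msg in detect(sample_flows()):
        print(f"{ts:%I:%M:%S %p}: {host} {msg}")
```

Run stand-alone it prints the trail the slide sketches: the first host contacting the bad address, the scan alert once the twentieth distinct internal destination is touched (at 13:06:55 in the constructed data), and the second host checking in at 13:13:59. The fan-out rule needs no signature for the malware, which is the point of behavioral anomaly detection on flow data: the byte counts, ports and timing are enough to see lateral movement that a gateway sees nothing of.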